CVE-2026-42790

nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-295 — CWE-295 Improper Certificate Validation

CAPEC

• CAPEC-475 — CAPEC-475 Signature Spoofing by Improper Validation

CVSS 4.0 Score

7.6

HIGH

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability description

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.

Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):

First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.

Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.

The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.

This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.

Affected

pkg:otp/public_key

Module	Source File	Routine
pubkey_cert	src/pubkey_cert.erl	pubkey_cert:validate_names/6
public_key	src/public_key.erl	public_key:pkix_verify_hostname/3

Status	Type	Version	Changes / Fixed in
affected	otp ⓘ	1.4	unaffected at 1.15.1.7 unaffected at 1.17.1.3 unaffected at 1.20.3.1 unaffected at 1.21.1

pkg:github/erlang/otp

Module	Source File	Routine
pubkey_cert	lib/public_key/src/pubkey_cert.erl	pubkey_cert:validate_names/6
public_key	lib/public_key/src/public_key.erl	public_key:pkix_verify_hostname/3

Status	Type	Version	Changes / Fixed in
affected	otp ⓘ	19.3	unaffected at 26.2.5.21 unaffected at 27.3.4.12 unaffected at 28.5.0.1 unaffected at 29.0.1
affected	git ⓘ	b0c245e813	unaffected at 0769050c69 unaffected at fb67c6d183 unaffected at 21abed64eb

Workarounds

The verify_fun option in the ssl application can be used to ensure that TLS connections fail if the end-entity certificate is missing the subjectAltName extension or has no domain name. Do not use a verify_fun that accepts the name_not_permitted error.

References

• https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447 vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-42790 related
• https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759 patch
• https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457 patch
• https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a patch

Credits

• Finder: John Downey
• Remediation developer: Ingela Anderton Andin
• Remediation reviewer: Dan Gudmundsson
• Remediation reviewer: Jakub Witczak

CVE record as JSON:  GET /cves/CVE-2026-42790.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-42790.json